- Upbit fixed a wallet vulnerability after a $30 million hack involving Solana.
- Withdrawals were halted and some stolen funds were frozen following the attack.
- Authorities are investigating possible involvement by the Lazarus group.
South Korea’s largest cryptocurrency exchange, Upbit, disclosed a serious internal wallet vulnerability during an emergency review after a $30 million hack.
The finding coincides with the company’s ongoing probe into irregular Solana-based withdrawals that triggered the security inspection, raising concerns about potential exposure of private keys in the platform’s wallet implementation.
Flaw discovered during emergency inspection
An emergency inspection launched after unusual activity was detected on November 26 revealed a flaw in Upbit’s internal wallet software that could allow attackers to mathematically derive private keys by analyzing blockchain transaction data.
CEO Oh Kyung-seok explained in a post-inspection notice that although blockchain data is public, it is normally secure; the exchange’s wallet implementation, however, produced weak and predictable signature information, creating a theoretical risk.
Upbit emphasized the flaw was only found through a systems-level review and is not directly confirmed to be the cause of the hack itself.
The exchange says it has patched the vulnerability and completed a comprehensive audit of related networks and wallet systems to ensure no other weaknesses remain.
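As an added illustration (not Upbit's code, and not taken from the exchange's notice), the sketch below shows one audit a wallet team can run over its own published signatures. It assumes the weakness takes the form of a repeated nonce commitment, which the notice does not specify; Solana transactions are signed with Ed25519, and the signer labels, messages and signature bytes are constructed placeholders.

```python
"""Audit a signer's Ed25519 signatures for reused nonce commitments (R)."""
from collections import defaultdict
from hashlib import sha256


def find_reused_r(records):
    """records: iterable of (signer_label, message_bytes, signature_bytes).

    Returns one finding per (signer, R) pair that covers more than one
    distinct message. An Ed25519 signature is R (32 bytes) || S (32 bytes).
    """
    seen = defaultdict(set)  # (signer, R) -> digests of the signed messages
    for signer, message, sig in records:
        if len(sig) != 64:
            raise ValueError("Ed25519 signature must be 64 bytes")
        seen[(signer, sig[:32])].add(sha256(message).hexdigest())
    findings = []
    for (signer, r), digests in seen.items():
        # Ed25519 signing is deterministic: re-signing the same message gives
        # the same R and is harmless. The same R over different messages means
        # the nonce was not derived from the message as the scheme requires.
        if len(digests) > 1:
            findings.append({"signer": signer, "r": r.hex(),
                             "messages": sorted(digests)})
    return findings


def _sig(r_seed, s_seed):
    # Constructed placeholder bytes, not valid signatures: the audit only
    # relies on the R || S layout.
    return sha256(r_seed).digest() + sha256(s_seed).digest()


# Constructed sample data (hypothetical wallet labels and transactions).
SAMPLE = [
    ("hot-wallet-A", b"tx-1", _sig(b"n1", b"s1")),
    ("hot-wallet-A", b"tx-1", _sig(b"n1", b"s1")),  # re-broadcast: benign
    ("hot-wallet-A", b"tx-2", _sig(b"n1", b"s2")),  # same R, new message
    ("hot-wallet-A", b"tx-3", _sig(b"n3", b"s3")),
    ("hot-wallet-B", b"tx-4", _sig(b"n1", b"s4")),  # other signer: separate
]

if __name__ == "__main__":
    for finding in find_reused_r(SAMPLE):
        print("rotate key for", finding["signer"], "R =", finding["r"][:16])
```

A finding means the affected key should be treated as exposed and rotated; an empty result only rules out exact repeats, not other forms of nonce bias.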
Upbit will cover losses from its own reserves
The hack cost Upbit approximately 44.5 billion KRW in total losses, including around 38.6 billion KRW of customer funds, prompting immediate action by the exchange.
Withdrawals were suspended and remaining assets were moved to cold storage to prevent further losses.
About 2.3 billion KRW of the stolen funds—roughly $1.5 million—has already been frozen.
Oh Kyung-seok described the episode as a reminder that no security system is infallible.
He reassured customers that Upbit will cover all losses from its own reserves and pledged to strengthen security measures across the platform.
The exchange committed to resuming deposits and withdrawals only after final verification of its wallet systems.
South Korean authorities investigate the hack
South Korean authorities have opened an investigation into the incident, and early intelligence reports point to possible involvement by the Lazarus hacking group, which is linked to North Korea.
Although Upbit and law enforcement have not publicly confirmed those allegations, the exchange is cooperating with investigators and blockchain tracing projects to recover and freeze stolen assets wherever possible.
The case prompted Upbit to carry out a wider security review of its entire infrastructure.
The exchange said irregular withdrawals from Solana-related wallets, involving tokens such as ORCA, RAY and JUP, served as the catalyst for the emergency inspection and the subsequent discovery of vulnerabilities.
By overhauling its wallet systems, Upbit aims to prevent similar breaches in the future.